OFE Suggestions for Cybersecurity Act Trilogue

OpenForum Europe (OFE) appreciates and welcomes the progress made by
the co-legislators in improving upon the proposal of the Commission
and is pleased to see that many OFE core priorities are reflected in
both the Parliament’s Report and the Council’s General
Approach. OFE wishes to contribute to finding a timely conclusion to
the negotiations through the suggestions below.

On the Stakeholder groups, OFE would like
to stress that groups should be advisory to the Commission, ENISA and
Member States. Furthermore, we suggested taking advantage of the
existing Multi Stakeholder Platform on ICT Standardisation (‘MSP’).
This group already convenes all major actors, such as Member States,
international, global and European Standard Organisations, consumer
groups and industry representatives involved in ICT standardisation.
For this reason, we suggested utilising the MSP by setting up a
specialised Task Force under the MSP as the Stakeholder advisory
body.

On the advisory bodies, Article 19(4) gives
wide-ranging powers to the Executive Director to create and disband
groups. We strongly suggest that the agreed text should require one
advisory body for the certification framework and we would also like
to reiterate that there should be a provision in the agreed text
requiring consultation.

In regard to the possibility of self-assessment, many companies have
established internal certification labs, which can be used for
self-assessment. Excluding
these labs from consideration for substantial and high levels of
assurance will increase costs with no tangible benefit. Moreover, the
naming of and interaction between assurance levels and evaluation
levels should be improved, as it is currently lacking. We do see the
benefit of evaluation levels and wish to see them preserved.

Lastly, pertaining to the provisions regarding a
work programme, we understand the concerns in regard to speed,
though we do see it as very important to have a robust up-front
understanding of which areas will be tackled and therefore support
such a work programme. The Annual Union Work Programme for European
standardisation provides a compelling example, including the template
documentation utilised to optimise operational impact.